Amazon EBS Encryption

Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

Data at rest inside the volume

All data moving between the volume and the instance

All snapshots created from the volume

The encryption occurs on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage.

Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and any snapshots created from them. The first time you create an encrypted volume in a region, a default CMK is created for you automatically. This key is used for Amazon EBS encryption unless you select a CMK that you created separately using AWS KMS. Creating your own CMK gives you more flexibility, including the ability to create, rotate, and disable keys, to define access controls, and to audit the encryption keys used to protect your data. For more information, see the AWS Key Management Service Developer Guide.

This feature is supported with all EBS volume types (General Purpose SSD [gp2], Provisioned IOPS SSD [io1], Throughput Optimized HDD [st1], Cold HDD [sc1], and Magnetic [standard]). You can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access unencrypted volumes. Encryption and decryption are handled transparently and require no additional action from you, your EC2 instance, or your application.

Snapshots that are taken from encrypted volumes are automatically encrypted. Volumes that are created from encrypted snapshots are also automatically encrypted. Public snapshots of encrypted volumes are not supported, but you can share an encrypted snapshot with specific accounts if you take the following steps:

Amazon EBS encryption is only available on certain instance types. You can attach both encrypted and unencrypted volumes to a supported instance type. For more information, see Supported Instance Types.

Encryption Key Management

Amazon EBS encryption handles key management for you. Each newly created volume is encrypted with a unique 256-bit key. Any snapshots of this volume and any subsequent volumes created from those snapshots also share that key. These keys are protected by AWS key management infrastructure, which implements strong logical and physical security controls to prevent unauthorized access. Your data and associated keys are encrypted using the industry standard AES-256 algorithm.

You cannot change the CMK that is associated with an existing snapshot or encrypted volume. However, you can associate a different CMK during a snapshot copy operation (including encrypting a copy of an unencrypted snapshot), and the resulting copied snapshot uses the new CMK.

Each AWS account has a unique master key that is stored separately from your data, on a system that is surrounded with strong physical and logical security controls. Each encrypted volume (and its subsequent snapshots) is encrypted with a unique volume encryption key that is then encrypted with a region-specific secure master key. The volume encryption keys are used in memory on the server that hosts your EC2 instance; they are never stored on disk in plaintext.

Supported Instance Types

Amazon EBS encryption is available on the instance types listed in the table below. These instance types leverage the Intel AES New Instructions (AES-NI) instruction set to provide faster and simpler data protection. You can attach both encrypted and unencrypted volumes to these instance types simultaneously.

Changing the Encryption State of Your Data

There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes. You can also apply a new encryption status while copying a snapshot:

While copying an unencrypted snapshot of an unencrypted volume, you can encrypt the copy. Volumes restored from this encrypted copy are also encrypted.

While copying an encrypted snapshot of an encrypted volume, you can re-encrypt the copy using a different CMK. Volumes restored from the encrypted copy are only accessible using the newly applied CMK.

You cannot remove encryption from an encrypted snapshot.

Migrate Data between Encrypted and Unencrypted Volumes

When you have access to both an encrypted and an unencrypted volume, you can freely transfer data between them. EC2 carries out the encryption or decryption operations transparently.

Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there.

Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this.

Linux

Use the rsync command as follows to copy the data from your source to the destination volume. In this example, the source data is located in /mnt/source and the destination volume is mounted at /mnt/destination.

Windows

At a command prompt, use the robocopy command to copy the data from your source to the destination volume. In this example, the source data is located in D:\ and the destination volume is mounted at E:\.

PS C:\> robocopy D:\ E:\ /e /copyall /eta

Apply Encryption While Copying a Snapshot

Because you can apply encryption to a snapshot while copying it, another path to encrypting your data is the following procedure.

To encrypt a volume's data by means of snapshot copying

Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted.

Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted.

Restore the encrypted snapshot to a new volume, which is also encrypted.

Re-Encrypt a Snapshot with a New CMK

The ability to encrypt a snapshot during copying also allows you to re-encrypt an already-encrypted snapshot that you own. In this operation, the plaintext of your snapshot is encrypted using a new CMK that you provide. Volumes restored from the resulting copy are only accessible using the new CMK.

In a related scenario, you may choose to re-encrypt a snapshot that has been shared with you. Before you can restore a volume from a shared encrypted snapshot, you must create your own copy of it. By default, the copy is encrypted with the key shared by the snapshot's owner. However, we recommend that you re-encrypt the snapshot during the copy process with a different key that you control. This protects your access to the volume if the original key is compromised, or if the owner revokes the key for any reason.

The following procedure demonstrates how to re-encrypt a snapshot that you own.

Create a snapshot of your encrypted EBS volume. This snapshot is also encrypted with your default CMK.

On the Snapshots page, choose Actions, Copy.

In the Copy Snapshot window, supply the complete ARN for your custom CMK (in the form arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef) in the Master Key field, or choose it from the menu. Choose Copy.

The resulting copy of the snapshot—and all volumes restored from it—are encrypted with your custom CMK.

The following procedure demonstrates how to re-encrypt a shared encrypted snapshot as you copy it. For this to work, you need access permissions to both the shared encrypted snapshot and to the CMK that encrypted it.

To copy and re-encrypt a shared snapshot using the console

Select the shared encrypted snapshot on the Snapshots page and choose Actions, Copy.

In the Copy Snapshot window, supply the complete ARN for a CMK that you own (in the form arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef) in the Master Key field, or choose it from the menu. Choose Copy.

The resulting copy of the snapshot—and all volumes restored from it—are encrypted with the CMK that you supplied. Changes to the original shared snapshot, its encryption status, or the shared CMK have no effect on your copy.